Update Referrer-Policy to support multiple token values #371

Merged
merged 4 commits into from
Nov 14, 2017
Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## 5.0.2

- Updates `Referrer-Policy` header to support multiple policy values

## 5.0.1

- Updates `Expect-CT` header to use a comma separator between directives, as specified in the most current spec.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -71,7 +71,7 @@ SecureHeaders::Configuration.default do |config|
config.x_xss_protection = "1; mode=block"
config.x_download_options = "noopen"
config.x_permitted_cross_domain_policies = "none"
config.referrer_policy = "origin-when-cross-origin"
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
config.csp = {
# "meta" values. these will shape the header, but the values are not included in the header.
preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
17 changes: 12 additions & 5 deletions lib/secure_headers/headers/referrer_policy.rb
Expand Up @@ -22,14 +22,21 @@ class << self
# Returns a default header if no configuration is provided, or a
# header name and value based on the config.
def make_header(config = nil)
[HEADER_NAME, config || DEFAULT_VALUE]
config ||= DEFAULT_VALUE
[HEADER_NAME, Array(config).join(", ")]
end

def validate_config!(config)
return if config.nil? || config == OPT_OUT
raise TypeError.new("Must be a string. Found #{config.class}: #{config}") unless config.is_a?(String)
unless VALID_POLICIES.include?(config.downcase)
raise ReferrerPolicyConfigError.new("Value can only be one of #{VALID_POLICIES.join(', ')}")
case config
when nil, OPT_OUT
# valid
when String, Array
config = Array(config)
unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
end
else
raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
end
end
end
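Review bot: An empty array slips through the new `String, Array` branch, because `config.all? { ... }` is vacuously true on `[]`, and `make_header` at the top of the hunk then emits an empty header value — `config ||= DEFAULT_VALUE` only replaces nil, and `[].join(", ")` is `""`. Per the Referrer Policy spec the empty string is the "no policy" value, so this misconfiguration silently drops the protection instead of failing when the config is loaded; I would reject it in the validation: `if config.empty? || !config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }`. It is also worth saying why several tokens are allowed at all, since the order is what makes the feature safe: user agents apply the last token they recognize, so a comment above `make_header` such as `# Tokens are joined in order; browsers use the last policy they recognize, so list the fallback first and the preferred (newer) policy last.` would stop callers listing them backwards. The `class << self` block enclosing both methods begins above the hunk.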
20 changes: 19 additions & 1 deletion spec/lib/secure_headers/headers/referrer_policy_spec.rb
Expand Up @@ -5,6 +5,7 @@ module SecureHeaders
describe ReferrerPolicy do
specify { expect(ReferrerPolicy.make_header).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin"]) }
specify { expect(ReferrerPolicy.make_header("no-referrer")).to eq([ReferrerPolicy::HEADER_NAME, "no-referrer"]) }
specify { expect(ReferrerPolicy.make_header(%w(origin-when-cross-origin strict-origin-when-cross-origin))).to eq([ReferrerPolicy::HEADER_NAME, "origin-when-cross-origin, strict-origin-when-cross-origin"]) }

context "valid configuration values" do
it "accepts 'no-referrer'" do
Expand Down Expand Up @@ -60,14 +61,31 @@ module SecureHeaders
ReferrerPolicy.validate_config!(nil)
end.not_to raise_error
end

it "accepts array of policy values" do
expect do
ReferrerPolicy.validate_config!(
%w(
origin-when-cross-origin
strict-origin-when-cross-origin
)
)
end.not_to raise_error
end
end

context "invlaid configuration values" do
context "invalid configuration values" do
it "doesn't accept invalid values" do
expect do
ReferrerPolicy.validate_config!("open")
end.to raise_error(ReferrerPolicyConfigError)
end

it "doesn't accept invalid types" do
expect do
ReferrerPolicy.validate_config!({})
end.to raise_error(TypeError)
end
end
end
end
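Review bot: The new specs cover a two-element array and a `{}` config, but nothing pins the edge cases the array branch introduced: an empty array, an array holding a non-string element, and mixed-case tokens (validation downcases, while `make_header` joins the tokens verbatim). I would add, beside the `{}` case, `expect { ReferrerPolicy.validate_config!([]) }.to raise_error(ReferrerPolicyConfigError)` and `expect { ReferrerPolicy.validate_config!(["no-referrer", 1]) }.to raise_error(ReferrerPolicyConfigError)`; as far as I can see from the validator in this PR the first would currently fail, which is exactly why it is worth writing — it forces a decision on whether an empty list is an accepted configuration. The enclosing `describe ReferrerPolicy` block begins above this hunk.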